RE: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-30 Thread Paul Wouters via dev-security-policy
On Mon, 30 Apr 2018, Tim Hollebeek wrote: What about the cases we discussed where there is DNSSEC, but only for a subtree? I don't know what that means? You mean a trust island not chained to the root? If so, then yes, that is a zone without DNSSEC since it is missing a DS in its parent (or

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-30 Thread Quirin Scheitle via dev-security-policy

RE: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-30 Thread Tim Hollebeek via dev-security-policy

RE: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-30 Thread Paul Wouters via dev-security-policy
On Mon, 30 Apr 2018, Tim Hollebeek via dev-security-policy wrote: I don't think this opinion is in conflict with the suggestion that we required DNSSEC validation on CAA records when (however rarely) it is deployed. I added this as https://github.com/mozilla/pkipolicy/issues/133 One of the

RE: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-30 Thread Tim Hollebeek via dev-security-policy
> I don't think this opinion is in conflict with the suggestion that we > required > DNSSEC validation on CAA records when (however rarely) it is deployed. I > added this as https://github.com/mozilla/pkipolicy/issues/133 One of the things that could help quite a bit is to only require DNSSEC

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-27 Thread Wayne Thayer via dev-security-policy
On Thu, Apr 26, 2018 at 6:59 AM, Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, April 26, 2018 at 11:45:15 AM UTC, Tim Hollebeek wrote: > > > > which is why in the near future we can hopefully use RDAP over TLS > > > > (RFC > > > > 7481) instead

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-26 Thread Ryan Hurst via dev-security-policy
On Thursday, April 26, 2018 at 11:45:15 AM UTC, Tim Hollebeek wrote: > > > which is why in the near future we can hopefully use RDAP over TLS > > > (RFC > > > 7481) instead of WHOIS, and of course since the near past, DNSSEC :) > > > > I agree moving away from WHOIS to RDAP over TLS is a good low

RE: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-26 Thread Tim Hollebeek via dev-security-policy
> > which is why in the near future we can hopefully use RDAP over TLS > > (RFC > > 7481) instead of WHOIS, and of course since the near past, DNSSEC :) > > I agree moving away from WHOIS to RDAP over TLS is a good low hanging fruit > mitigator once it is viable. My opinion is it is viable now,

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-26 Thread Ryan Hurst via dev-security-policy
On Wednesday, April 25, 2018 at 3:48:07 PM UTC+2, Paul Wouters wrote: > On Wed, 25 Apr 2018, Ryan Hurst via dev-security-policy wrote: > > > Multiple perspectives is useful when relying on any insecure third-party > > resource; for example DNS or Whois. > > > > This is different than requiring

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 25, 2018 at 7:28 AM, Buschart, Rufus via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Ryan! > > The "multiple perspective validations" is an interesting idea. Did you > think about combining it with CAA checking? I could imagine having a new > tag, e.g.

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Jakob Bohm via dev-security-policy
On 25/04/2018 18:01, Quirin Scheitle wrote: Hi Jakob, As someone who has actually /removed/ DNSSEC from some domains after it caused serious rippling failures, the brokenness of DNSSEC does not come from how often DNSSEC fails to validate valid requests but from how easily DNSSEC can crash a

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Matthew Hardeman via dev-security-policy
On Wed, Apr 25, 2018 at 11:01 AM, Quirin Scheitle via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > This is not about whether or not domains should deploy DNSSEC. > Domains are are their own right to decide whether or not they see DNSSEC > fit for their environment. >

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Quirin Scheitle via dev-security-policy
Hi Jakob, > As someone who has actually /removed/ DNSSEC from some domains after it > caused serious rippling failures, the brokenness of DNSSEC does not come > from how often DNSSEC fails to validate valid requests but from how > easily DNSSEC can crash a domain, making it too risky to deploy. >

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Jakob Bohm via dev-security-policy
On 25/04/2018 17:06, Quirin Scheitle wrote: On 25. Apr 2018, at 16:11, Matthew Hardeman via dev-security-policy wrote: With the right combination of DNSSEC validation, CAA records as utilized today, […] Hi all, I have advertised making DNSSEC

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Quirin Scheitle via dev-security-policy
> On 25. Apr 2018, at 16:11, Matthew Hardeman via dev-security-policy > wrote: > > With the right combination of DNSSEC validation, CAA records as utilized > today, […] Hi all, I have advertised making DNSSEC validation mandatory for CAA before, bot

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Matthew Hardeman via dev-security-policy
> > Multiple perspectives is useful when relying on any insecure third-party > resource; for example DNS or Whois. > > This is different than requiring multiple validations of different types; > an attacker that is able to manipulate the DNS validation at the IP layer > is also likely going to be

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Matthew Hardeman via dev-security-policy
On Wed, Apr 25, 2018 at 8:47 AM, Paul Wouters via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > BGP hijack at once. In the end, that's a numbers game with a bunch of > race conditions. But hey, it might lead to actual BGP security getting > deployed :) > I'm an

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Paul Wouters via dev-security-policy
On Wed, 25 Apr 2018, Ryan Hurst via dev-security-policy wrote: Multiple perspectives is useful when relying on any insecure third-party resource; for example DNS or Whois. This is different than requiring multiple validations of different types; an attacker that is able to manipulate the DNS

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Ryan Hurst via dev-security-policy
On Wednesday, April 25, 2018 at 1:28:43 PM UTC+2, Buschart, Rufus wrote: > Hi Ryan! > > The "multiple perspective validations" is an interesting idea. Did you think > about combining it with CAA checking? I could imagine having a new tag, e.g. > "allowedMethods", in which the legitimate owner

"multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Buschart, Rufus via dev-security-policy
Hi Ryan! The "multiple perspective validations" is an interesting idea. Did you think about combining it with CAA checking? I could imagine having a new tag, e.g. "allowedMethods", in which the legitimate owner of a domain can specify the set of allowed methods to validate his domain. As an